From: Gathman, Jonathan (jg1555)
Date: Mon, 8 Jul 2019 22:57:32 +0000 (-0500)
Subject: Cred delete fixes
X-Git-Tag: 2.1.15~12^2~1
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=d0d6604a0371457d84eceb56d9fff668e865253f

Cred delete fixes

Issue-ID: AAF-857
Change-Id: I5e590eec0e18a17bb9f89d7f704c86fca3f377de
Signed-off-by: Gathman, Jonathan (jg1555)
---

diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
index 868f9ac2..37501967 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
@@ -53,7 +53,8 @@ public class CredDAO extends CassDAOImpl {
 public static final String TABLE = "cred";
 public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
 public static final int RAW = -1;
- public static final int FQI = 0;
+ public static final int NONE = 0;
+ public static final int FQI = 10;
 public static final int BASIC_AUTH = 1;
 public static final int BASIC_AUTH_SHA256 = 2;
 public static final int CERT_SHA256_RSA =200;
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
index 8d15c958..b0680621 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
@@ -27,6 +27,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.TreeMap;
 import java.util.TreeSet;
 
 import org.onap.aaf.auth.dao.cass.PermDAO;
@@ -44,7 +45,7 @@ import org.onap.aaf.auth.layer.Result;
 *
 */
 // Package on purpose
-class PermLookup {
+public class PermLookup {
 private AuthzTrans trans;
 private String user;
 private Question q;
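Review bot: Renumbering `FQI` from 0 to 10 and introducing `NONE = 0` changes the meaning of `type` values that, judging by `TABLE = "cred"` in the same constant block, are persisted: any row stored as FQI before this change now reads back as NONE, and any row already stored with 10 (which the CLI in this same commit used to render as "Cert") becomes FQI. If no such rows exist in deployed data this is harmless, but the commit carries no migration or note saying so. I would pin the constraint on the constant block itself: `// type values are stored in the cred table; never reuse or renumber an existing value`. The enclosing class continues outside the hunk.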
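Review bot: The context line `// Package on purpose` directly above the new `public class PermLookup {` now contradicts the visibility it annotates and will make the next reader assume the widening was accidental. Replace it with the reason the class is now exported, e.g. `// Public: AuthzCassServiceImpl resolves a user's perms through this per-transaction lookup`, or drop it. The rest of the class lies outside the hunk.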
@@ -55,7 +56,7 @@ class PermLookup { private PermLookup() {} - static PermLookup get(AuthzTrans trans, Question q, String user) { + public static PermLookup get(AuthzTrans trans, Question q, String user) { PermLookup lp=null; Map permMap = trans.get(Question.PERMS, null); if (permMap == null) { @@ -152,13 +153,32 @@ class PermLookup { List lpdd = new ArrayList<>(); for (String perm : rss.value) { if (lookup) { + Map mspdd = new TreeMap<>(); Result ap = PermDAO.Data.decodeToArray(trans, q, perm); if (ap.isOK()) { Result> rlpd = q.permDAO().read(perm,trans,ap.value); if (rlpd.isOKhasData()) { for (PermDAO.Data pData : rlpd.value) { - lpdd.add(pData); + // ONLY add perms/roles which are related to this lookup + for(String pdr : pData.roles(false)) { + for(RoleDAO.Data r : roles.value) { + if(pdr.equals(r.encode())) { + PermDAO.Data pdd = mspdd.get(pData.fullPerm()); + if(pdd==null) { + pdd = new PermDAO.Data(); + pdd.ns = pData.ns; + pdd.type = pData.type; + pdd.instance = pData.instance; + pdd.action = pData.action; + pdd.description = pData.description; + lpdd.add(pdd); + } + pdd.roles(true).add(pdr); + break; + } + } + } } } } else { diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index ae6f371b..3abad1a5 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -974,6 +974,7 @@ public class Question { return Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0); case CredDAO.BASIC_AUTH: return Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0); + case CredDAO.FQI: default: return Result.ok(false); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java index 42306c85..add5aed8 100644 
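Review bot: `mspdd` is read with `mspdd.get(pData.fullPerm())` but nothing is ever `put` into it, so `pdd` is `null` on every pass and a fresh `PermDAO.Data` is created and appended to `lpdd` for every matching role, instead of one entry per perm with its roles merged as the `if(pdd==null)` shape intends; the missing line is `mspdd.put(pData.fullPerm(), pdd);` inside that block. The map being declared per `perm` inside the loop means it only dedups within a single `rlpd.value`, which looks intended because `read(perm, …)` is keyed by that perm. The inner `for(RoleDAO.Data r : roles.value)` re-encodes every role for every role string of every pData; building a `Set<String>` of `r.encode()` once before the outer loop would turn it into a single `contains` test. The enclosing method starts and ends outside the hunk.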
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java @@ -166,7 +166,7 @@ public class List extends BaseCmd { case 0: return "NoCrd"; case 1: return "U/P"; case 2: return "U/P2"; - case 10: return "Cert"; + case 10: return "FQI"; case 200: return "x509"; default: return "n/a"; diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java index f8a633af..2f84f583 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java @@ -104,7 +104,7 @@ public class List extends BaseCmd { if (roles==null || roles.getRole().isEmpty()) { pw().println(""); } else if (aafcli.isDetailed()){ - if (aafcli.isDetailed() && str[0].toLowerCase().contains(LIST_ROLES_BY_NAME)) { + if (str[0].toLowerCase().contains(LIST_ROLES_BY_NAME)) { String description = roles.getRole().get(0).getDescription(); if (description == null) description = ""; reportColHead("%-80s\n","Description: " + description); 
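Review bot: The `switch` in this method (presumably `getType`, per the JU_List test in this commit) keys on literal type numbers (`0`, `1`, `2`, `10`, `200`) whose authoritative values are the `CredDAO` constants in another module, and this commit had to touch the `10` case precisely because that numbering moved. The same literal is written as `cr.setType(10);` in the ID.java hunk further down. If the cmd module cannot import `CredDAO`, at least name the source so the two stay in lockstep: `case 10: return "FQI"; // CredDAO.FQI`, and likewise `cr.setType(10); // CredDAO.FQI`. The enclosing method continues outside the hunk.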
@@ -123,18 +123,24 @@ public class List extends BaseCmd { pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),XXXX_XX_XX); } } else { - UserRole ur = get(roleName,urs); + String fullname; + if(ns==null) { + fullname = roleName; + } else { + fullname = ns+'.'+roleName; + } + UserRole ur = get(fullname,urs); if (ur!=null && now.compare(ur.getExpires().normalize())>0) { if (ns==null) { pw().format(roleExpiredFormat, roleName,Chrono.dateOnlyStamp(ur.getExpires())); } else { - pw().format(roleExpiredFormat, "["+ns+"]"+roleName.substring(ns.length()),Chrono.dateOnlyStamp(ur.getExpires())); + pw().format(roleExpiredFormat, "["+ns+"]."+roleName,Chrono.dateOnlyStamp(ur.getExpires())); } } else { if (ns==null) { pw().format(roleFormat, roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):""); } else { - pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):""); + pw().format(roleFormat, "["+ns+"]."+roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):""); } } } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java index bdcf1e50..2471c21a 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java @@ -21,6 +21,9 @@ package org.onap.aaf.auth.cmd.role; +import java.util.Map; +import java.util.TreeMap; + import org.onap.aaf.auth.cmd.AAFcli; import org.onap.aaf.auth.cmd.Cmd; import org.onap.aaf.auth.cmd.Param; 
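Review bot: The rewritten non-detailed branch builds `fullname = ns+'.'+roleName` and prints `"["+ns+"]."+roleName`, treating `roleName` as the short name, while the detailed branch visible as a context line at the top of the hunk (`pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),XXXX_XX_XX);`) still strips `ns` off `roleName`, treating it as the full name. Unless the two branches receive differently-shaped role names, one of them now prints the wrong thing; if the short-name interpretation is the intended one for both, the detailed branch should use the same `"["+ns+"]."+roleName` form. The enclosing method continues outside the hunk.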
@@ -30,10 +33,14 @@ import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.client.Future; import org.onap.aaf.cadi.client.Rcli; import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.util.Split; import org.onap.aaf.misc.env.APIException; +import aaf.v2_0.Perm; import aaf.v2_0.Perms; +import aaf.v2_0.Role; import aaf.v2_0.Roles; +import aaf.v2_0.UserRole; import aaf.v2_0.UserRoles; /** 
@@ -60,33 +67,63 @@ public class ListByUser extends Cmd { public Integer code(Rcli client) throws CadiException, APIException { Perms perms=null; UserRoles urs=null; - Future fr = client.read( - "/authz/roles/user/"+user+(aafcli.isDetailed()?"?ns":""), - getDF(Roles.class) - ); + Roles roles = null; + int code; Future fur = client.read( "/authz/userRoles/user/"+user, getDF(UserRoles.class) ); - if (fr.get(AAFcli.timeout())) { - if (aafcli.isDetailed()) { - Future fp = client.read( - "/authz/perms/user/"+user+(aafcli.isDetailed()?"?ns":""), - getDF(Perms.class) - ); - if (fp.get(AAFcli.timeout())) { - perms = fp.value; + if (fur.get(AAFcli.timeout())) { + urs = fur.value; + code = fur.code(); + } else { + error(fur); + return fur.code(); + } + + if (aafcli.isDetailed()) { + roles = new Roles(); + Future fp = client.read( + "/authz/perms/user/"+user+"?ns&force", + getDF(Perms.class) + ); + if (fp.get(AAFcli.timeout())) { + Map rs = new TreeMap<>(); + perms = fp.value; + for( Perm p : perms.getPerm()) { + for(String sr : p.getRoles()) { + Role r = rs.get(sr); + if(r==null) { + r = new Role(); + String[] split = Split.split('|', sr); + if(split.length>1) { + r.setNs(split[0]); + r.setName(split[1]); + } else { + r.setName(sr); + } + rs.put(sr, r); + roles.getRole().add(r); + } + r.getPerms().add(p); + } } - } - if (fur.get(AAFcli.timeout())) { - urs = fur.value; - } - - ((List)parent).report(fr.value,perms,urs,HEADER,user); + } + code = fp.code(); } else { - error(fr); + roles = new Roles(); + java.util.List lr = roles.getRole(); + Role r; + for(UserRole ur : urs.getUserRole()) { + r = new Role(); + r.setName(ur.getRole()); + lr.add(r); + } } - return fr.code(); + + + ((List)parent).report(roles,perms,urs,HEADER,user); + return code; } }); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java index a1cb3e7a..1dfcc17f 100644 
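Review bot: In the detailed branch a failed `fp.get(AAFcli.timeout())` is silently ignored: there is no `error(fp)`, `perms` stays `null`, `roles` stays an empty `Roles`, `report(...)` is still called and only then is `fp.code()` returned, whereas the `fur` read a few lines earlier does `error(fur); return fur.code();`. Mirror that: `} else { error(fp); return fp.code(); }` after the `if (fp.get(AAFcli.timeout()))` block. Separately, `rs` is keyed by the raw `sr` string and `Split.split('|', sr)` assumes an `ns|name` encoding that I cannot confirm from here; a one-line comment stating the expected format above the split would help the next reader. The `code` method begins at the hunk's first line and closes inside it.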
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java @@ -137,6 +137,8 @@ public class Cred extends Cmd { pw().println(text); } else if (fp.code()==406 && option==1) { pw().println("You cannot delete this Credential"); + } else if (fp.code()==409 && option==0) { + pw().println("You cannot add two Passwords for same day"); } else { pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java index 12035a16..46d5d052 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java @@ -53,7 +53,7 @@ public class ID extends Cmd { final CredRequest cr = new CredRequest(); cr.setId(args[idx++]); - cr.setType(0); + cr.setType(10); if (args.length>idx) cr.setEntry(args[idx]); @@ -92,9 +92,11 @@ public class ID extends Cmd { pw().print(cr.getId()); pw().println(']'); } else if (fp.code()==202) { - pw().println("ID Action Accepted, but requires Approvals before actualizing"); + pw().println("ID Action Accepted, but requires Approvals before actualizing"); + } else if (fp.code()==409 && option==0) { + pw().println("FQI already exists"); } else if (fp.code()==406 && option==1) { - pw().println("You cannot delete this ID"); + pw().println("FQI does not exist"); } else { pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD); } diff --git a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java index 61f41585..e4100a02 100644 --- a/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java +++ b/auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java 
@@ -136,7 +136,7 @@ public class JU_List { user.setType(2); Assert.assertEquals("U/P2", list.getType(user)); user.setType(10); - Assert.assertEquals("Cert", list.getType(user)); + Assert.assertEquals("FQI", list.getType(user)); user.setType(200); Assert.assertEquals("x509", list.getType(user)); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 37ca509a..9a6ef7e3 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -70,6 +70,7 @@ import org.onap.aaf.auth.dao.hl.Function; import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP; import org.onap.aaf.auth.dao.hl.Function.Lookup; import org.onap.aaf.auth.dao.hl.Function.OP_STATUS; +import org.onap.aaf.auth.dao.hl.PermLookup; import org.onap.aaf.auth.dao.hl.Question; import org.onap.aaf.auth.dao.hl.Question.Access; import org.onap.aaf.auth.env.AuthzTrans; @@ -1011,8 +1012,8 @@ public class AuthzCassServiceImpl > rlpd = ques.getPermsByUser(trans, user, - trans.requested(force)); + PermLookup pl = PermLookup.get(trans,ques,user); + Result> rlpd = pl.getPerms(trans.requested(force)); if (rlpd.notOK()) { return Result.err(rlpd); } @@ -1100,7 +1101,8 @@ public class AuthzCassServiceImpl > rlpd = ques.getPermsByUser(trans, user,trans.requested(force)); + PermLookup pl = PermLookup.get(trans,ques,user); + Result> rlpd = pl.getPerms(trans.requested(force)); if (rlpd.notOK()) { return Result.err(rlpd); } 
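Review bot: The two-line replacement `PermLookup pl = PermLookup.get(trans,ques,user);` / `rlpd = pl.getPerms(trans.requested(force));` is repeated verbatim in the `@@ -1100` hunk just below it; since `PermLookup.get` appears to hand back a per-transaction cached instance (`trans.get(Question.PERMS, null)` in the PermLookup hunk), a small private helper such as `permsFor(trans, user, force)` would keep the two call sites from drifting. It is also worth confirming that a `PermLookup` cached earlier in the same transaction honours a later `force` request, which this diff does not show. Both enclosing methods start and end outside the hunks.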
@@ -2428,16 +2430,22 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { - // Empty Creds should have no user_roles. + // Empty Creds should not have user_roles. Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOK()) { + if (rlurd.isOKhasData()) { for (UserRoleDAO.Data data : rlurd.value) { ques.userRoleDAO().delete(trans, data, false); } - } + } return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } boolean isLastCred = rlcd.value.size()==1; - - int entry = 0; - if (!trans.requested(force)) { - if (rlcd.value.size() > 1) { - CredRequest cr = (CredRequest)from; - String inputOption = cr.getEntry(); - if (inputOption == null) { - List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - entry = 0; - for (CredDAO.Data cd : rlcd.value) { - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - break; - } - ++entry; - } - } else { - entry = Integer.parseInt(inputOption) - 1; - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1)?true:false; - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } + int entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : 
rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + CredRequest cr = (CredRequest)from; + String inputOption = cr.getEntry(); + if (inputOption == null) { + List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1)?true:false; + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } } Result fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, 
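Review bot: The numeric-selection path maps the user's choice back onto `rlcd.value` by skipping rows whose `type` is not `BASIC_AUTH`, `BASIC_AUTH_SHA256` or `CERT_SHA256_RSA`, while the list the user chose from comes from `filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA)` a few lines above; the type set is spelled out twice and the mapping is only correct if `filterList` preserves the order of `rlcd.value`, which the hunk does not show. If the two ever diverge, `entry` resolves to a different row and a credential other than the one the user picked is deleted, so define the deletable types once (one constant passed to `filterList` and used in the skip test) and state the ordering assumption in a comment next to the `++count>entry` loop. `doForce` and `isLastCred` are used here but defined outside the hunk, and the enclosing method starts and ends outside it.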
@@ -2943,7 +2972,11 @@ public class AuthzCassServiceImpl udr = null; if (!trans.requested(force)) { if (entry<0 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); + if(cred.value.type==CredDAO.FQI) { + return Result.err(Status.ERR_BadData,"FQI does not exist"); + } else { + return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); + } } udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); } else { @@ -3015,12 +3048,12 @@ public class AuthzCassServiceImpl cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires): cred1.type dlist = new ArrayList(); + dlist.add(null); String os; for(Object s : result.variables) { if(s!=null && (os=s.toString()).length()>0) { @@ -288,6 +289,7 @@ public abstract class AuthzFacadeImpl0) { return Result.err(Status.ERR_BadData,ok); } - } else { - to.type=0; } if (passwd != null) { to.cred = ByteBuffer.wrap(passwd.getBytes()); to.type = CredDAO.RAW; } else { - to.type = CredDAO.FQI; + to.type = CredDAO.NONE; } } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java index e48ae169..ace2c73f 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java 
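Review bot: With `to.type = CredDAO.NONE` replacing `CredDAO.FQI` in the no-password branch, the mapper no longer infers an FQI credential from a missing password; FQI now has to arrive explicitly as type 10 from the caller, as the ID command in this commit does, and that contract is invisible at this site. Annotate the branch: `to.type = CredDAO.NONE; // no password supplied: callers creating an FQI must set CredDAO.FQI explicitly`. On the adjacent context line `passwd.getBytes()` uses the platform default charset, so the RAW bytes (presumably hashed later, per the Question hunk) can differ between hosts; `passwd.getBytes(StandardCharsets.UTF_8)` would pin them. The file header for this hunk was lost in the rendering and the enclosing method starts outside the hunk.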
@@ -119,7 +119,12 @@ public class AAFLurPerm extends AbsAAFLur { @Override public User code(Rcli client) throws CadiException, ConnectException, APIException { final long remoteStart = System.nanoTime(); - Future fp = client.read("/authz/perms/user/"+name,aaf.permsDF); + StringBuilder sb = new StringBuilder("/authz/perms/user/"); + sb.append(name); + if(details) { + sb.append("?force"); + } + Future fp = client.read(sb.toString(),aaf.permsDF); // In the meantime, lookup User, create if necessary User user = getUser(principal); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java index cfecc533..34c55cee 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java @@ -43,6 +43,7 @@ public abstract class AbsAAFLur extends AbsUserCache aaf; public Lur preemptiveLur=null; // Initial Use is for OAuth2, preemptive Lur private String[] supports; + protected boolean details; public AbsAAFLur(AAFCon con) throws APIException { super(con.access, con.cleanInterval, con.highCount, con.usageRefreshTriggerCount); @@ -62,7 +63,12 @@ public abstract class AbsAAFLur extends AbsUserCache
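Review bot: The three-statement `StringBuilder` that assembles the perms URL is heavier than the concatenation it replaces and buries the one thing that changed; `client.read("/authz/perms/user/"+name+(details?"?force":""), aaf.permsDF)` reads the same as the old line. Whatever `?force` asks the server for should be said here, since `details` is only declared in the AbsAAFLur hunk and its assignment is outside this diff: `// details: append ?force so the server returns the expanded perm set` — hedged, as the server-side meaning of force is not visible in this diff. The enclosing `code` method continues outside the hunk.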
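Review bot: `protected boolean details;` is added without documentation and is mutable from any subclass; a comment such as `// when true, AAFLurPerm requests perms with ?force` would tie it to its only visible reader. If it is ever assigned after construction from a thread other than the one doing lookups, a plain non-volatile field gives no visibility guarantee — how it is set is outside this hunk, so worth confirming. The class continues outside the hunk.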